Computer-implemented cryptographic method for improving a computer network, and terminal, system and computer-readable medium for the same

ABSTRACT

A method at a terminal in a multiple-node digital communications network, comprising any one or more of: generating at least one symmetric first key(s), across all participating nodes in the multiple-node digital communications network and securely distributing the at least one first key(s) in encrypted form to multiple participating nodes of the multiple-node digital communications network, using at least one asymmetrically established second key(s), the participating nodes including at least one message-transmitting node(s) and at least one message-receiving node(s); generating at least one symmetric third key(s) for one or more communication session that includes one or more communications from the at least one message-transmitting node(s) to the message-receiving node(s); encrypting at least one payload message using the at least one third key(s) at the at least one message-transmitting node(s), sending the encrypted at least one payload message, and receiving the encrypted at least one payload message at the at least one message-receiving node(s); encrypting the at least one third key(s) using the at least one first key(s), sending the encrypted at least one third key(s), and receiving the encrypted at least one third key(s) at the at least one message-receiving node(s); decrypting the at least one third key(s) using the securely distributed at least one first key(s), at the at least one message-receiving node(s); and decrypting the at least one encrypted payload message using the decrypted at least one third key(s), at the at least one message-receiving node(s). A terminal, system, and computer readable medium are also disclosed.

STATEMENT CONCERNING RELATED PATENT APPLICATIONS

The present application is a continuation of U.S. patent applicationSer. No. 15/268,532 filed Sep. 16, 2016, now U.S. Pat. No. 9,756,024,which itself claims priority to U.S. provisional patent application Ser.No. 62/284,038, filed on Sep. 18, 2015, both of which are herebyincorporated by reference herein, in its entirety.

TECHNICAL FIELD

The present disclosure relates to a computer-implemented cryptographicmethod for one or more of increasing data processing efficiency andimproving data security, of any one or more computer(s),microcontroller(s) or microprocessor(s) that are communicativelyconnected to a digitally stored and digitally operated networkcomprising one or more controller area network (CAN) bus, localinterconnect network (LIN) bus or related computer network; and aterminal, a system and a computer-readable medium for the same.

BACKGROUND

A motor vehicle may be viewed as a distributed network with multiplecommunication nodes spread throughout the network defined by one or moreof: the semiconductors or other hardware (MCU/MPU/SoC or ECU) used, thehardware interconnect, and finally the hardware purpose or function.Each node has one or more granularly defined function(s). The standardcommunication protocols utilized in the majority of modern vehicle makesand models were defined years ago and therefore are limited in networkbandwidth, with 8 byte, 4 byte and 2 byte message size limitations ofthose networks being a common configuration. Some of the more commonautomotive network protocols are, for instance, controller area network(CAN) and local interconnect network (LIN). Newer standards have beendefined (e.g., CAN FD); however generally those new network standardshave yet to be widely adopted by the automotive industry due to cost andother engineering constraints.

As automobiles and other motor vehicles are increasingly connected,e.g., to the internet via 3G or 4G connections, and gain broadbandEthernet access, hackers are able to exploit new attack surface(s).Hackers have recently been successful at hacking and gaining control ofvehicles such as the widely publicized (July 2015) hack of a Jeep® GrandCherokee®, which was illicitly remotely controlled and driven off theroad by two hackers, from the comfort of their home miles away, wieldingnothing except a laptop and an internet connection.

It would be desirable to provide a more effective method of creating,e.g., CAN bus (or LIN bus) digital privacy management. Most experts,however, expect that it would be very difficult, if not impossible, toachieve a secure CAN bus.

SUMMARY

This disclosure includes, but is not limited to, the following aspectsof securing the network(s):

First and second aspects of the disclosure may or may not be directed torespective method and computer readable medium (or alternatelythroughout “computer storage apparatus”) causing operations, for eachcomprising any one or more of:

generating at least one symmetric first key(s), across all participatingnodes in the multiple-node digital communications network and securelydistributing the at least one first key(s) in encrypted form to multipleparticipating nodes of the multiple-node digital communications network,using at least one asymmetrically established second key(s), theparticipating nodes including at least one message-transmitting node(s)and at least one message-receiving node(s);

generating at least one symmetric third key(s) for one or morecommunication session that includes one or more communications from theat least one message-transmitting node(s) to the message-receivingnode(s);

encrypting at least one payload message using the at least one thirdkey(s) at the at least one message-transmitting node(s), sending theencrypted at least one payload message, and receiving the encrypted atleast one payload message at the at least one message-receiving node(s);

encrypting the at least one third key(s) using the at least one firstkey(s), sending the encrypted at least one third key(s), and receivingthe encrypted at least one third key(s) at the at least onemessage-receiving node(s);

decrypting the at least one third key(s) using the securely distributedat least one first key(s), at the at least one message-receivingnode(s); and

decrypting the at least one encrypted payload message using thedecrypted at least one third key(s), at the at least onemessage-receiving node(s).

Third and fourth aspects of the disclosure may or may not be directed torespective processor-based terminal and processor-based system for, eachcomprising any one or more of, (1) at least one processor; and at leastone memory storing instructions that, when executed by the at least oneprocessor, cause the at least one processor to cause, and (2) a moduleor means for, any one or more of:

generating at least one symmetric first key(s), across all participatingnodes in the multiple-node digital communications network and securelydistributing the at least one first key(s) in encrypted form to multipleparticipating nodes of the multiple-node digital communications network,using at least one asymmetrically established second key(s), theparticipating nodes including at least one message-transmitting node(s)and at least one message-receiving node(s);

generating at least one symmetric third key(s) for one or morecommunication session that includes one or more communications from theat least one message-transmitting node(s) to the message-receivingnode(s);

encrypting at least one payload message using the at least one thirdkey(s) at the at least one message-transmitting node(s), sending theencrypted at least one payload message, and receiving the encrypted atleast one payload message at the at least one message-receiving node(s);

encrypting the at least one third key(s) using the at least one firstkey(s), sending the encrypted at least one third key(s), and receivingthe encrypted at least one third key(s) at the at least onemessage-receiving node(s);

decrypting the at least one third key(s) using the securely distributedat least one first key(s), at the at least one message-receivingnode(s); and

decrypting the at least one encrypted payload message using thedecrypted at least one third key(s), at the at least onemessage-receiving node(s).

Additional or alternative aspects of the disclosure are found in theappended claims. Further aspects, embodiments, features, and advantagesof the embodiments, as well as the structure and operation of variousembodiments are described in detail below with reference to accompanyingdrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the accompanying drawings, which form a part of the specification andare to be read in conjunction therewith, and in which like referencenumerals are used to indicate like features in the various views:

FIG. 1 is a schematic diagram of an exemplary network comprising one ormore controller area network (CAN) bus computer network environment(s),in which embodiments may be implemented;

FIG. 2 is a diagram of software components, according to embodiments;

FIGS. 3a-3e are flow diagrams showing exemplary operations, according toembodiments;

FIG. 4 is a schematic diagram of at least three exemplary digitallystored and digitally operated computer network environments, in whichembodiments may be implemented;

FIG. 5 illustrates an example computer useful for implementingembodiments, along with several network features that may be used inembodiments; and

FIG. 6 illustrates an exemplary embodiment of the computer of FIG. 5 ina mobile terminal.

DETAILED DESCRIPTION

Embodiments of the disclosure are concerned with the calculation of oneor more data set transformation instructions, in certain cases thetransmission of those instructions to at least one local or remote CANbus, LIN bus, or remote computer(s) (e.g., but not limited to, anycombination of one or more of, a bank of, and geographically disparatecommunicatively connected, server(s) that manipulate or monitor data).Ultimately, though not in certain method, terminal, system andcomputer-readable media embodiments, these instructions may or may notalso be executed at one or more networks comprising CAN bus or LIN busmicrocontroller(s), server(s), storage device(s) or other computerhardware holding or capable of encrypting/decrypting data being operatedon. Ultimately, the data available for unauthorized viewing, hacking ormanipulating on networked CAN bus, LIN bus or related computer networksare reduced.

Though un-expectantly, it becomes apparent that data security andtechnological leveraging seemingly cannot coexist, creating atechnically derived tension. For example, every system of a modernautomobile, whether manually-driven or automatically-operated, either ofwhich using locally-or-remotely-generated instructions, is subject tohacking, and thus partial or complete unauthorized control or viewing.This unprecedented danger can be attributed to the technicalefficiencies provided by its particular digital interaction platform.Other non-CAN networks outside of each vehicle present similarchallenges.

Embodiments herein reduce one or more of the storage space required tostore data, the bandwidth required to aggregate and calculate data, andthe computing resources, time, and energy previously required securelyto function, especially as regarding management of sensitive automotiveoperational data.

Embodiments herein include means to secure the distributed networksinternal to an environment (for example an automobile), with negligibleimpact on existing bandwidth constrained internal networks (e.g., CANbus, LIN bus, etc.).

Embodiments herein may or may not be specifically designed forencrypting message payloads at 8 byte, 4 byte and 2 byte boundaries mayor may not and do so within a three millisecond threshold defined asnecessary for real-time automotive applications. These features supportnot only preventative measures such as encryption, but alsocounterattack measures designed to crash rogue nodes or leverage BigData to identify the source of a nefarious attack.

Embodiments may or may not be installed (and in current use) running onup to all nodes connected to a CAN bus, LIN bus or related computernetwork and provide end-to-end encryption and key management overexisting automotive distributed networks.

In embodiments, instructions work at the application layer by encryptinga message payload using a cipher.

In embodiments, key management technology is implemented via anencrypted virtual channel and may or may not be used to send new sessionkey(s) to all nodes on a network at any one of more of variable,predetermined, regular, period and random frequency.

In embodiments, certain of the herein-indicated non-limiting technicaladvantages and/or others, each of which depend upon what particularcombination of features disclosed herein is found in an embodiment, arerealized only upon persistent and arduous study through both (a)discovering the very existence of the above-indicated technical tension,and (b) inventing the technical solutions disclosed in part herein.

In embodiments, resulting advantages may or may not include, but are notlimited to, one or more of:

(1) Encrypting messages in automotive distributed internal networksincluding CAN and LIN buses for use in real-time automotive applicationswith a negligible impact on performance of the bus and within, e.g., a<3 milliseconds cycle time threshold required for such automotiveapplications;

(2) Securely establishing a master key among all participating nodes.

(3) Securely distributing new session keys to participating nodes on thecommunication bus over an encrypted virtual channel at either periodicor pseudo-random intervals;

(4) Initiating a counterstrike attack against a rogue node (hackernode), which may include but is not limited to: crashing the rogue node,leveraging Big Data and commercial analytics engines to discover themachine identity and location of the hack origin, or other unknowninformation.

(5) Performing one or more of the other advantages, withoutmodifications to existing application message protocol or additionalhardware cost.

(6) Performing one or more of the other advantages, while being one ormore of hardware architecture agnostic, operating system agnostic,transport agnostic regarding use on non-CAN transports, and cipheragnostic.

In embodiments, operations by which data set transformations are madeimprove data security by preserving or reclaiming the privacy of certaindata.

In embodiments, operations by which data set transformations are madeincrease system operational efficiency at each terminal.

In embodiments, operations by which data set transformations are madestrike an optimal balance between improving data security by preservingor reclaiming the privacy of data strings and objects on the one hand,and increasing system operational efficiency, on the other hand, all thewhile allowing continued data exchange and aggregation between one ormore computers communicatively connected to at least one digitallystored and digitally operated CAN bus, LIN bus or related computernetwork.

Referring to FIGS. 1-6, the following describes a cryptographic systemfor securing a network comprising one or more CAN bus(es), LIN bus(es)or related computer network(s) by using at least two keys: (1) One ormore master key(s) (MK) which can be used to encrypt any messagetransmitted between one or more nodes in network 100 and in particularis used to encrypt session key(s); and (2) one or more session key(s)(SK), which may or may not be used for secure message transmissionbefore being discarded.

In embodiments, both MK and SK are symmetric keys which are used toencrypt messages using an ultra-lightweight encryption (ULWE) protocol.

In embodiments, a master key is first generated when a network starts tooperate and optionally may or may not be replaced during that use of anetwork. The time at which the master key is replaced is customizable bya user who configures the network.

In embodiments, network 100 performs one or more of the following:enables secure encryption across a network of nodes by repetitivelychanging the key by which data encryption occurs; provides a method forsecure master key establishment across one or more nodes in a networkconstrained by an 8 byte CAN bus or LIN bus; stores both a staticwhitelist based authentication process to establish initialparticipants, and a runtime authentication process that does not impactspeed or size of message transmission; and provides securesynchronization of cryptographic session key establishment across one ormore nodes.

One practice in a network is to encrypt all data before transmission aseffective encryption will prevent unauthorized users of a network frominitiating operations at any node in that network (e.g. CAN bus in avehicle), unauthorized authentication of one or more unauthorized nodesand other attacks on one or more messages sent within that network (e.g.changing one or more bits in a message). In practice this is notcurrently done for CAN bus or LIN bus because it is thought by those ofreasonable skill in the art that one or more of the following reasonsapply: (i) costs would increase due to greater processor requirements toperform security checks (authentication) in real time, (ii) there wouldbe a latent drag in message transmission (due to encrypting two or moremessages together to match the block cipher size), (iii) it isimpractical due to smaller code size being required to encrypt IVN CANbus, LIN bus or related computer networks data, (iv) asymmetric keyestablishment processes generally cannot be used in the encryptionprocess in these constrained networks as they are utilized for real-timeapplications due to latency (needing to wait for a larger amount of datato pass through and be processed by the system to implement theencryption). In embodiments of this disclosure, it is possible tosecurely encrypt, decrypt and authenticate all messages in a CAN bus,LIN bus or related computer networks without significantly increasingthe processing requirements of the system, without adding materiallatency to the system, thereby adding an extra layer of security to thedata sent within such a network.

FIG. 1 shows network 100 connecting one or more of domain controller(s)(DC) 2-6 in a network with one or more node(s) 111-133 connected via aCAN bus. Each of the domain controller(s) 2-6 may or may not be treatedas a node(s) in addition to node(s) 111-133. Different CAN bus systemsexist, therefore all references herein to “CAN bus” include, but are notlimited to, any system transmitting 8 or more bytes of data in each datapacket including but not limited to any variations of a CAN bus systemthat are currently known or may be designed in the future, and any othernon-CAN bus system transmitting packets of data equal to or more than 8bytes in size. Examples of such networks include but are not limited toCAN bus, CAN bus 2.0, CAN FD, LIN bus, Ethernet, etc., any combinationof one or more of which may be used to control the network(s)controlling the engine 101, transmission 103 or power 105, or any otherfunctions over a network, and networks LIN 107, MOST 109, FlexRay 110.The network 100 can also be externally connected to one or moreterminal(s) using any form of connection known presently or known in thefuture e.g. one or more of the non-limiting examples of GPRS/GSM 97, theCloud 90, GPS 91, USB 92, DSRC 95, Bluetooth® 96 or internally to one ormore processing units for example Diagnostics 98.

In embodiments, domain controller 2-6 has the same computationalcapability as any other node with which the domain controller(s) isconnected. The domain controller(s) is distinguished by its ability tostore data such as one or more key in a secure memory so that the one ormore key may be distributed. The domain controller(s) receives groupelements from one or more node(s) and distributes its group element toone or more node(s). All group elements are calculated using anasymmetric key establishment protocol or some other protocol which mayor may not utilize the physical properties of the network itself. Thesame protocol is used at both the domain controller(s) and the one ormore node(s) so no additional computing capability is required by thedomain controller(s).

In embodiments, node(s) 111-133 in the CAN bus includes one or more ofthe following non-limiting examples of hardware: microcontroller unit,electronic controller unit, CAN transceiver, SoC small computer, smartphone, laptop, PC and Mac.

In embodiments, any connection between node(s) 111-133 comprises one ormore wire(s), fiber optic cable(s), wireless (electromagnetic signal)connection(s) or some other connecting medium.

In embodiments, information is required to be sent across one or moreCAN bus from one or more DC to one or more electronic control unit (ECU)to implement one or more instruction(s) at each node(s) 111-133.

Herein, messages and information are both synonymous with a string ofone or more binary digits, “bits”, although other representations ofinformation are possible. There is no loss of generality in thisassumption as it is known all information can be expressed as a seriesof zeroes and ones, i.e. in binary form, and therefore represented inthe form of a string of bits. Instruction(s), however, are taken toinclude the code implementing a specific function of a feature at one ormore node(s) 111-133.

In embodiments, messages that are to be sent to one or more node(s)111-133 are encrypted using a symmetric key protocol and then sent tothose one or more node(s) 111-133 and the key with which messages areencrypted will change. The frequency with which the key changes may ormay not be random. After each change the next change may or may notoccur in the next unit of time, i.e. key changes may or may not occur inan unpredictable manner. Repetitively changing the key results in addednoise to message transmissions thereby preventing any attack to thesystem as any given message transmitted cannot easily be assigned to thekey used to encrypt it and therefore each message cannot be decrypted byan attacker.

In embodiments, resulting encryption system(s) can be used for securingone or more area such as network 100 which may be securing any of thenon-limiting examples of house(s), building(s), boat(s) or any otherarea containing a CAN bus or computer network.

Unless stated otherwise, herein users of a system (users) include one ormore of the owner or authorized operator of the system transmittingencrypted messages, an authorized person known to that user, and themanufacturer of the system being used.

Software Modules

FIG. 2 illustrates several embodiment(s) of secured network 200 modulesand software components, and operation of the same are described asfollows in detail.

1. secured network 200

a. master key and static authentication module 201

b. session key distribution 202

c. runtime authentication 203

d. ultra-lightweight encryption 204

In embodiments, master key and static authentication module 201 providesa method for securely generating one or more master key for allparticipant nodes using a multi-node variant of an asymmetric keygeneration algorithm (e.g., the non-limiting example of the DiffieHelman key exchange protocol; in embodiments any other suitableasymmetric key generation protocol may be selected by a user andimplemented, or in the case of a CAN bus or LIN bus, optionally by usingthe inherent electrical properties of those buses).

In embodiments, in order to determine the validity of all participants,once the master key has been generated by all participants, eachparticipant sends an encrypted version of their unique identifier(unique ID) to their associated domain controller, DC 2-6. The domaincontroller 2-6 has a list of valid unique ID(s) ‘a whitelist’. Inembodiments, this whitelist is established at one or more of thefollowing times: installation during manufacture at the factory, or alater time when the network can be updated securely either remotely orlocally.

In embodiments, each node's unique ID is validated against the whitelistat DC 2-6. Whenever an invalid unique ID is presented or a unique ID ispresented more than once, an invalid node is detected. The staticauthentication processor at DC 2-6 reports an ‘invalid node’notification and in embodiments optionally deploys one or morecountermeasures to the extent possible.

In embodiments to generate a master key, each node generates its owngroup element 301. This is done by implementing any desired asymmetrickey generation protocol. Embodiments allow a user to select anasymmetric protocol. Examples of such protocols include but are notlimited to Diffie Hellman Key Exchange, RSA or key derivation based onthe electrical properties of a targeted bus.

In embodiments, protocol(s) used to establish one or more master key(s)over a network may or may not use properties inherent to the network orits constituent parts to generate a secret number which is known at oneor more node(s). (For example, in a CAN bus one stage of data transfermay be designed for contention resolution (arbitration) between nodes.During arbitration phase(s), all nodes may transmit simultaneously, andthe electrical properties of the CAN bus arbitrates what node is allowedto proceed to the data phase. When this CAN bus is used as an AND gatebetween all nodes, in this phase logical ‘0’ is treated as a dominantbit and logical ‘1’ is treated as a recessive bit. If any node transmitsa ‘0’ bit, the bus will obtain an effective state of ‘0’ for that bit,even if all the other nodes transmit a ‘1’ for the same bit. By usingthis property of the CAN bus one or more times, an asymmetric keycomprising one or more bit(s) of data is shared secretly and a symmetricsecond key may be distributed without the computational cost of atraditional asymmetric algorithm.

In embodiments, arbitration phase(s) are any practical length in timeand can be started and stopped at any predetermined time. Duringarbitration phase(s), secret information may or may not be extractedfrom data transmissions sent from nodes and stored securely in domaincontroller(s) 2-6. These secret data may be used at a later point intime to establish a new (but optionally, numerically or computationallydifferent) transient key without the computational load of asymmetricencryption.

In embodiments a public key (r) and public modulus (m) are selected andused. The same public key and modulus are used at each node connected toa particular domain controller 2-6.

In embodiments, each node derives a private key using one or more ofrandom data values, a bank of pseudo-random data or non-random datavalues.

In embodiments, some random data used to derive a private key is fromthe lower order bits or combination thereof from one or more types ofsensors whose values are available. (E.g., the lower order bits of anaccelerometer and/or thermometer, when combined should provide enoughentropy to provide near true randomness.)

Now referring to FIGS. 3a and 3b , in embodiments, a private key at eachnode is combined with a public key and modulus to generate a groupelement (g) at that node (e.g., 301). For example, these three valuescan be combined to calculate an individual group element (g) such thatg=(r.sup.k) mod (m).

In embodiments, when the domain controller has calculated its groupelement, it transmits that group element to all the other participatingnodes on the same network. Each node also transmits its own groupelement to a domain controller 302. Nodes and the domain controller useDiffie Hellman or another suitable asymmetric key establishment protocolto compute each transient key (T). Each node computes a unique transientkey by combining its group element and the group element of the domaincontroller 303. The domain controller computes each node's transient key304. The domain controller derives the master key using one or morerandom data values which may or may not be obtained in the one or moremethods detailed above from sensor data 305.

The domain controller encrypts a master key with each transient key (T)using a predetermined symmetric encryption algorithm and sends theencrypted master key to each node 306. Each node receives the master keyfrom the domain controller encrypted with their own transient key, anddecrypts the master key using their own transient key (T) and the samepredetermined symmetric encryption algorithm so that each node obtainsthe master key 307. At the completion of this process, all nodes on thesame network will share the same master key. FIG. 3b shows a physicalrepresentation of the transmission of data above when establishing amaster key. The process occurs between the domain controller and the oneor more node(s). 301-304 shows steps above where data is transferred inboth directions; 305-306 shows steps where data is sent from the domaincontroller to node(s) and 307 is a step where decryption occurs at eachnode and no data channel is required.

In embodiments, each node encrypts its unique ID with the master key andsubmits its unique ID to the domain controller 308. The domaincontroller receives each node's unique ID and decrypts it. The domaincontroller 2-6 validates each unique ID against the whitelist of uniqueID(s) 309, which is stored in secure memory, and is either preprogrammedat the factory, or updated locally or remotely. If an invalid unique IDis detected or even a valid unique ID is used and an anomaly is detected(such as multiple submission, or invalid positioning, etc.) it isinterpreted as ‘invalid node detected’.

In embodiments, notification(s) of invalid node(s) may or may not besent 310 and one or more countermeasures may or may not be deployed 311.Countermeasures comprise but are not limited to: locating and disablingthe node, bus shutdown, total system shutdown, as configured by thecustomer, manufacturer, or other concerned party.

Referring to FIG. 3c , in embodiments, session key distribution module202 provides a method for domain controller(s) 2-6 to generate andsecurely distribute symmetric random or non-randomly generated sessionkeys 321 at random or non-random intervals to participating nodes.

In embodiments, a domain controller may also derive a session key fromthe lower order bits or combination thereof from one or more types ofsensors whose values are available. (e.g. the lower order bits of anaccelerometer and/or thermometer, when combined should provide enoughentropy to provide near true randomness.)

In embodiments, a next session key 321 is generated, at any frequencythat is sufficient to achieve the aims of securing the data transmittedby encrypting with a repetitively changing key. For example, the sessionkey 321 could change 10 times per second.

In embodiments, the session key generated is an 8 byte session key 322and ensures the session key will match a pre-defined heuristic (forexample all bytes must be modulated as an ASCII digit zero to nine orsome other well-defined set of values expressible in each byte). Thesession keys are encrypted with the master key using anultra-lightweight encryption scheme 323 and sent across the CAN bus, LINbus or related network transport 324.

In embodiments the ultra-lightweight encryption scheme is customizablei.e. a user may or may not wish to change a preset encryption scheme onthe system. A user interface allows this selection to be made.

In embodiments, the session key at each node is transmitted on one ormore of the same channel(s) as instructional data (message ID(s)) or adifferent channel. When session keys are transmitted on the message IDdata channel, this is referred to as a virtual channel, because of thevirtual recognition of the session key at the one or more receiving nodeby way of 325-327. The session keys are sent in-between the datamessages and are discovered by the recipient node by performing adecryption with the master key 325. When the resultant plaintext matchesthe heuristic, it is known to be a valid session key 326 and saved bythe recipient node 327. The recipient node uses the new session key toencrypt future data messages until a new session key is received.

Referring to FIG. 3d , in embodiments, runtime authentication module 203provides a method to authenticate messages from nodes based on theirmessage ID. If either the transmitting or receiving nodes cannot providevalid credentials to this module, required to synchronize the messageID, they will not be able to communicate. Both the transmitting &receiving nodes must provide the following information: (i) a sessionkey 331 (ii) a group identifier 332 (iii) a group range 333. Module 203computes the current message ID 334 modulated to the group range basedon the inputs 331-333. If the node is sending data 335, data is sentacross the modulated message ID channel 337. If the node is attemptingto receive data, data is only read from the modulated message ID channel336. If either node cannot provide all three credentials, thecommunication is viewed as inauthentic, and the message is discarded.

In embodiments, any appropriate countermeasures to inauthentic nodes areenacted. Countermeasures comprise but are not limited to: locating anddisabling the node, bus shutdown, total system shutdown, as configuredby the customer, manufacturer, or other concerned party.

Referring to FIG. 3e , in embodiments, an ultra-lightweight encryptionmodule 204 provides a method for encryption/decryption using existingultra-lightweight encryption modules suitable for use on block sizesdown to 8 bytes. In embodiments with a selectable cipher, multipleciphers may or may not be pre-integrated for user selection. Duringpre-integration or afterwards, callbacks allow the user to integratetheir own cipher(s) based on their requirements. Module 204 requires theuser to specify the encryption key 341 and the data message 342.

In embodiments, one or more cipher may be substituted for the one ormore cipher that is used. If one or more substitution(s) is made this isachieved by one or more of: using a switch, selecting an option on agraphical user interface, being chosen by the user after manufacture insome other manner or being chosen by the user or some other designatedperson at the time of manufacture in any manner at all.

Examples include the following non-limiting encryption protocolconfiguration options: Simon (NSA), Speck (NSA), and Treyfer.

In embodiments, when the operation is from a transmitting node 343 thenthe data message is encrypted with the session key using the selectedcipher 345. When the operation is being requested by a receiving node,the data is decrypted with the session key using the selected cipher344. The ultra-lightweight encryption module may or may not be usedprogrammatically to encrypt or decrypt data without regard to thetransmission of that data.

In embodiments, the secured network module 200 is the softwaredevelopment kit (SDK) which ties all of the sub-modules 201-204 togetherunder a single application programming interface (API) to provide thecomplete security solution.

In embodiments each sub-module may be disabled or enabled according tothe user selection and all configuration options for each module may ormay not be specified and executed in a manner as shown in FIG. 2.

In embodiments, operationally the secured network module firstestablishes a master key securely among all participating nodes, beforesending a respective encrypted message payload. This uses, for example,a master key establishment and static authentication module as shown in201. The master key is a symmetric key, which may be any number ofbytes/bits as may be needed to meet user or manufacturer requirements.The master key anchors a root chain of trust and in embodiments is usedto encrypt session keys.

In embodiments, a user who configures, or manufacturer may or may notchoose to obtain a master key via some other method. A master key may ormay not be programmatically modified similarly on each node. When amaster key has been established, a session key distribution module isinvoked as shown in 202. When a session key has been synchronized acrossall participating nodes, runtime authentication may or may not beenacted as described in 203. This provides a runtime message ID foreither transmission or receipt of a data message. A runtimeauthentication module has the added benefit of decreasing processingcycles required to process data messages, as unauthentic data messageswill be discarded due to a lack of a valid message ID. Finally, amessage payload is either encrypted or decrypted with the session keyusing, e.g., an ultra-lightweight encryption module as shown in 204.

In embodiments, all the above processes may be confined to any sub-areaof the network up to and including an entire network. For exampleprocesses occurring at node DC 2 in FIG. 1, may or may not occurindependently at node DC 4. One or more of DC 4-6 and the node(s)111-133 shown connected to it may be treated as part of the network ofany other one or more DC 4-6 of which that one or more DC is the domaincontroller.

In embodiments, no particular chip or operating system is preferred toimplement any part of the disclosure and no development platform,compiler of code or toolchain is preferred. In addition the code toimplement this disclosure can be integrated any ECU software stack whichprovide CAN bus communication capability.

In embodiments, code according to embodiments of this disclosure may bedistributed as source code, object based code or in binary form.

In embodiments, the above code may or may not be implemented as alibrary.

In embodiments, the security schemes disclosed herein are implemented assoftware program instructions, although one or more aspects of theseschemes may or may not be implemented in firmware or using hardwarelogic.

In embodiments, the speed with which the keys are distributed can bevaried by configuring suitable to allow smooth running on differentcomponents of a CAN bus. For example: braking components on a car need ahigh volume of data to operate correctly whereas opening and closingwindows needs less data to operate correctly. Both sets of data may ormay not be sent via CAN bus. A channel carrying a larger amount of datamay transfer data faster. Session keys sent may be sent along suchchannels at an appropriate speed for an effective operation of arelevant component.

In embodiments, software for an encryption protocol can be added to theCAN bus code including or excluding the CAN bus kernel by the one ormore method of plugging in a physical chip containing the new code anduploading the software or by uploading software wirelessly.

In embodiments, wherever a number is required to be generated the timeat which the sampling occurs can be used as a data sampling source forthat number required.

FIG. 4 is a diagram of computer network 451 including three exemplaryenvironments, in which embodiments may be implemented. While thefollowing is described in terms of FIG. 4, the embodiments are notlimited to the environment(s) illustrated in FIG. 4. For example, anysystem having generally the structure of FIG. 4, or that would benefitfrom the operation, methods and functions as described herein may beused.

In exemplary embodiments, system 451 shows terminal clients 205-251 eachor collectively comprising one or more browser(s) 10 of terminal 247(browser also in each of other terminals, but not shown) which is/areused to connect to server(s) 500 over one or more networks W13, W14, andW15.

According to embodiments, browser 10 may include any device, applicationor module that enables a user or computer to navigate and/or retrievedata from another data source, typically over a network. Browser 10 mayinclude any conventional web browser such as those that are widelyavailable. According to further embodiments, browser 10 may also beconfigured to use any number of protocols, known now or developed in thefuture, including protocols such as HTTP, FTP, and underlying protocolssuch as TCP/IP or UDP. In embodiments, browser 10 is configured to run(or execute) web applications. Web applications are applications thatcan be hosted within a web browser or those that can be accessed, forexample, over a network such as Ethernet, the Internet, the TOR network,the dark web, the dark net or an intranet.

Browser 10 can further communicate with an input (not shown) to allow auser to input data, to input commands, or to provide other controlinformation to browser 10. Browser 10 may request content from one ormore server(s) 50, based on prior user input that is stored at one ormore terminal(s) or server(s) 50 before accessing server(s) 50, and uponwhich instructions later sent to server 50 are calculated. Server(s) 50may respond to the request by providing content back to browser 10 andclient 247 via network W13. Browser 10 may also be configured toretrieve content from server(s) 50 without user intervention.

In embodiments, network(s) W13, W14, and W15 can be any type of datanetwork or combination of data networks including, but not limited to, alocal area network (LAN) accessed locally or remotely such as via a VPN,a medium area network, or a wide area network such as the Internet.Network W13, for example, can be a wired or wireless network that allowsclient 247 and server(s) 50 to communicate with each other. Network W13can further support world-wide-web (e.g., Internet) protocols andservices.

Server(s) 50 provides CAN bus content (e.g., web pages, applications (or“apps”), audio, video, etc.) that can be retrieved by client 247 overnetwork W13. Content retrieved by client 247 can be disseminated viabrowser 10. In various embodiments, server(s) 50 and/or browser 10includes one or more features of network 200, which is described furtherbelow.

As illustrated in FIG. 4, in embodiments, a base functional component ofone aspect of the disclosure is composed of at least one of a pluralityof terminals 205 to 251, configured to be ordered by predetermineddefault settings or user-selected settings and/or software instructionsinto one or more dynamically changing and rearranging user terminalgroupings. Certain network terminals and/or systems, e.g., system 451,connect and allow exchange of information between local or far flungterminals within and from at least, but not limited to, three distincttypes of networks W13, W14, and W15.

In embodiments, terminal group 401 comprises terminals 205 to 215,terminal group 403 comprises terminals 217 to 233, and terminal group405 comprises terminals 235 to 251, each group and collective groupsillustrating flow of data, albeit on a very small scale, among andacross varied networks, such as clear network W13, dark-net or dark-webW14 (e.g., employed via The Onion Router (TOR)), and peer-to-peernetwork W15 via at least one (or more) server(s) 50. Server(s) 50receive, store, retrieve and deliver, across and at numerous andgeographically disparate locations, user account data on one or moredatabase(s) 600.

In embodiments, terminal and system operations may or may not in wholeor in part be effectuated, executed, or implemented on or via clearnetwork W13 (comprising at least all of, or just a portion of, terminalgroups 403 and 405) whereby individual terminals, server(s) 50, or acombination thereof, calculate the actions to be taken on respectivedata sets, and propagate(s) those actions out to the network viaserver(s) 50 and beyond to all other users.

In embodiments, terminal and system operations may or may not in wholeor in part effectuated, executed, or implemented on or via dark net W14(comprising at least all of, or just a portion of, terminal groups 401and 405) whereby individual terminals, server(s) 50, or a combinationthereof calculate the actions to be taken on respective data sets, andpropagate(s) those actions out to the network via server(s) 50 andbeyond to all other users.

In embodiments, terminal and system operations may or may not in wholeor in part effectuated, executed, or implemented on or via a peer topeer network W15 (comprising at least all of, or just a portion of,terminal groups 401 and 403) whereby one or more terminals, server(s)50, or a combination thereof, calculate the actions to be taken onrespective data sets, and propagate(s) those actions out to the network.

In embodiments, server(s) 50 execute instructions for user account datadeletion after a retention period—and not immediately upon server(s) 50receiving the instructions to delete certain data from one or moreterminals, and/or not immediately upon terminal(s) receiving theinstructions to delete certain data at one or more terminals.

In embodiments, at least one of terminals 205 to 251 transmitinstructions to server(s) 50 to execute instructions causing successfulencryption of associated user account object data from database(s) 600.In turn, associated account terminals, such as used by other vehicles,may (or may not) receive alerting data indicating the effectiveness ofone or more of the herein disclosed embodiments, thereby creating anacceleration and scaling of at least several of the technical advantagesof various herein disclosed embodiments.

In embodiments, each terminal may or may not be geographically remotefrom or local to the computers that access and control the storagedevices on which social network site user data are stored.

In embodiments, each terminal may or may not be part of one or moredevice set(s), the one or more device set(s) that may or may notcomprising only one or multiple—single user, entity (e.g., informalgroup) or participant—controlled, owned or used device(s).

In embodiments, any one or more of these terminal(s) or device set(s)may or may not include for example remote log-on and/or remote usage viaany Web-capable device to a Web-based ASP or peer-to-peer decentralizednetwork even though device ownership, possession and/or control is onlytemporary and/or through established via other-user-owned or installedapplications, such as by embedded or remote implementation via a widelyused social media site application or website.

In embodiments, client terminal 247 and server 50 may or may not each beimplemented on a computing device. Such a computing device includes, butis not limited to, a vehicle ECU or vehicle microcontroller, a personalcomputer, mobile device such as a mobile phone, workstation, embeddedsystem, game console, television, set-top box, or any other computingdevice that can support web browsing. Such a computing device mayinclude, but is not limited to, a device having a processor and memoryfor executing and storing instructions. Such a computing device mayinclude software, firmware, and hardware. The computing device may alsohave multiple processors and multiple shared or separate memorycomponents. Software may include one or more applications and anoperating system. Hardware can include, but is not limited to, aprocessor, memory and graphical user interface display. An optionalinput device, such as a mouse or touch screen, may be used.

System and Digital Communications Network Hardware

Another aspect of the disclosure is a computer system. Referring to FIG.5 and according to at least one embodiment, the techniques describedherein are implemented by one or more special-purpose computing devices.The special-purpose computing devices may be hard-wired to perform thetechniques, or may include digital electronic devices such as one ormore application-specific integrated circuits (ASICs) or fieldprogrammable gate arrays (FPGAs) that are persistently programmed toperform the techniques, or may include one or more general purposehardware processors programmed to perform the techniques pursuant toprogram instructions in firmware, memory, other storage, or acombination. Such special-purpose computing devices may also combinecustom hard-wired logic, ASICs, or FPGAs with custom programming toaccomplish the techniques. The special-purpose computing devices may bedesktop computer systems, portable computer systems, handheld devices,networking devices or any other device that incorporates hard-wiredand/or program logic to implement the techniques.

For example, FIG. 5 is a block diagram that illustrates a computersystem 500 upon which an embodiment may be implemented. Computer system500 includes a bus 502 or other communication mechanism forcommunicating information, and a hardware processor 504 coupled with bus502 for processing information. Hardware processor 504 may be, forexample, a general purpose microprocessor.

In embodiments, various ECUs and CAN buses may or may not be used.Non-limiting examples include, LIN, MOST, FlexRay and all variants ofthe CAN Bus including CAN 2.0 and CAN FD.

Computer system 500 also includes a main memory 506, such as a randomaccess memory (RAM) or other dynamic storage device, coupled to bus 502for storing information and instructions to be executed by processor504. Main memory 506 also may be used for storing temporary variables orother intermediate information during execution of instructions to beexecuted by processor 504. Such instructions, when stored innon-transitory storage media accessible to processor 504, rendercomputer system 500 into a special-purpose machine that is customized toperform the operations specified in the instructions.

Computer system 500 further includes a read only memory (ROM) 508 orother static storage device coupled to bus 502 for storing staticinformation and instructions for processor 504. A storage device 510,such as a magnetic disk or optical disk, is provided and coupled to bus502 for storing information and instructions.

Computer system 500 may be coupled via bus 502 to a display 512, such asa cathode ray tube (CRT), for displaying information to a computer user.An input device 514, including alphanumeric and other keys, is coupledto bus 502 for communicating information and command selections toprocessor 504. Another type of user input device is cursor control 516,such as a mouse, a trackball, or cursor direction keys for communicatingdirection information and command selections to processor 504 and forcontrolling cursor movement on display 512. This input device typicallyhas two degrees of freedom in two axes, a first axis (e.g., x) and asecond axis (e.g., y), that allows the device to specify positions in aplane.

Computer system 500 may implement the techniques described herein usingcustomized hard-wired logic, one or more ASICs or FPGAs, firmware and/orprogram logic which in combination with the computer system causes orprograms computer system 500 to be a special-purpose machine. Accordingto at least one embodiment, the techniques herein are performed bycomputer system 500 in response to processor 504 executing one or moresequences of one or more instructions contained in main memory 506. Suchinstructions may be read into main memory 506 from another storagemedium, such as storage device 510. Execution of the sequences ofinstructions contained in main memory 506 causes processor 504 toperform the process operations described herein. In alternativeembodiments, hard-wired circuitry may be used in place of or incombination with software instructions.

The terms “storage media” and “storage device” as used herein refer toany non-transitory media that store data and/or instructions that causea machine to operate in a specific fashion. Such storage media maycomprise non-volatile media and/or volatile media. Non-volatile mediaincludes, for example, optical or magnetic disks, such as storage device510. Volatile media includes dynamic memory, such as main memory 506.Common forms of storage media include, for example, a floppy disk, aflexible disk, hard disk, solid state drive, magnetic tape, or any othermagnetic data storage medium, a CD-ROM, any other optical data storagemedium, any physical medium with patterns of holes, a RAM, a PROM, andEPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge.

Storage media and storage device are distinct from but may be used inconjunction with transmission media. Transmission media participates intransferring information between storage media/devices. For example,transmission media includes coaxial cables, copper wire and fiberoptics, including the wires that comprise bus 502. Transmission mediacan also take the form of acoustic or light waves, such as thosegenerated during radio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequencesof one or more instructions to processor 504 for execution. For example,the instructions may initially be carried on a magnetic disk or solidstate drive of a remote computer. The remote computer can load theinstructions into its dynamic memory and send the instructions over atelephone line using a modem. A modem local to computer system 500 canreceive the data on the telephone line and use an infra-red transmitterto convert the data to an infra-red signal. An infra-red detector canreceive the data carried in the infra-red signal and appropriatecircuitry can place the data on bus 502. Bus 502 carries the data tomain memory 506, from which processor 504 retrieves and executes theinstructions. The instructions received by main memory 506 mayoptionally be stored on storage device 510 either before or afterexecution by processor 504.

Computer system 500 also includes a communication interface 518 coupledto bus 502. Communication interface 518 provides a two-way datacommunication coupling to a network link 520 that is connected to alocal network 522. For example, communication interface 518 may be anintegrated services digital network (ISDN) card, cable modem, satellitemodem, or a modem to provide a data communication connection to acorresponding type of telephone line. As another example, communicationinterface 518 may be a local area network (LAN) card to provide a datacommunication connection to a compatible LAN. Wireless links may also beimplemented. In at least one such implementation, communicationinterface 518 sends and receives one or more of electrical,electromagnetic and optical signals (as with all uses of “one or more”herein implicitly including any combination of one or more of these)that carry digital data streams representing various types ofinformation.

Network link 520 typically provides data communication through one ormore networks to other data devices. For example, network link 520 mayprovide a connection through local network 522 to a host computer 524 orto data equipment operated by an Internet Service Provider (ISP) 526.ISP 526 in turn provides data communication services through the worldwide packet data communication network now commonly referred to as the“Internet” 528. Local network 522 and Internet 528 both use electrical,electromagnetic or optical signals that carry digital data streams. Thesignals through the various networks and the signals on network link 520and through communication interface 518, which carry the digital data toand from computer system 500, are example forms of transmission media.

Computer system 500 can send messages and receive data, includingprogram code, through the network(s), network link 520 and communicationinterface 518. In at least one embodiment of the Internet example, aserver 530 might transmit a requested code for an application programthrough Internet 528, ISP 526, local network 522 and communicationinterface 518.

In embodiments, the received code may be one or more of executed byprocessor 504 as it is received, and/or stored in storage device 510, orother non-volatile storage for later execution.

Now referring to FIG. 6, in at least one embodiment a device used inaccordance with this disclosure is or comprises mobile display or touchscreen input smart phone or tablet 535, which is shown displaying directuser-to-device input message text and or image(s), or remotely receivedmessage text and/or image(s) 540. FIG. 6 shows a possible interface fora user to control one or more of the above options that may be varied,according to embodiments. In FIG. 6 a phone is shown but otherinterfaces are possible.

Computer-Readable Medium

Another aspect of the disclosure is one or more computer-readable media(or computer storage apparatus) having a program, which when executed byone or more processors, such part of one or more of the systemsdescribed herein, causes the one or more processors to enable, allow orcause devices to perform any one of the methods as variously comprisingany one or more of its various embodiments or sub-embodiments describedabove or otherwise covered by the appended claims.

In embodiments, the one or more computer-readable media arenon-transitory media such as, but not limited to HDD and SSD diskdrives, thumb and other flash drives, DVDs, CDs, various static anddynamic storage devices and other numerous storage media.

In embodiments, the one or more computer-readable media comprise or areone or more transitory electronic signals.

The following numbered clauses set forth various embodiments of thedisclosure:

1. At least one (a) computer-implemented method, (b) terminal, by way of(i) means for or (ii) software module(s) for performing operation(s), or(iii) comprising at least one processor; and at least one memory storinginstruction(s) that, when executed by the at least one processor, causethe at least one processor to, (c) system, by way of (i) means for, or(ii) software module(s) for performing operation(s), or (iii) comprisingat least one processor; and at least one memory storing instructionsthat, when executed by the at least one processor, cause the at leastone processor to, or (d) transitory or non-transitory computer-readablemedium (or alternately also herein throughout, computer storageapparatus) containing instructions which when executed by one or morecomputers each or collectively comprising one or more processors causeoperation(s), according to any one of the above or below clauses, theoperation(s) comprising:

obtaining, receiving or providing a message.

2. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, further comprising

generating at least one first key(s), and securely establishing it atmultiple nodes using at least one asymmetrically established second key,the multiple nodes including at least one message-transmitting node(s)and one or more message-receiving node(s).

3. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, further comprising

generating at least one (optionally symmetric) third key(s) at alocation of at least one node(s), the session key(s) generation beingone or more of:

(1) repetitive at a cycle speed, and

(2) simultaneous at multiple nodes, including at a location of the leastone message-transmitting node(s) and at a location of the one or moremessage-receiving node(s);

4. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, further comprising

encrypting the third key(s) using the first key(s) and distributing itin encrypted form to one or more other node(s).

5. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, further comprising

encrypting a message using at least one third key at the messagetransmitting node, to produce a ciphertext.

6. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, further comprising one or more of

(a) selectively reducing data available to, or processed by one or morecomputers communicatively connected to, a digitally stored and digitallyoperated CAN bus or LIN bus network,

(b) improving data security and

(c) increasing operational efficiency of the one or more computers orcontrollers communicatively connected to the digitally stored anddigitally operated CAN bus or LIN bus, at a terminal in a multiple-nodedigital communications network.

7. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein a CAN bus makes up all communication pathways of thenetwork.

8. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein one or more of the first key is a master key, thesecond key is a transient key, and the third key is a session key.

generating at least one symmetric first key(s), across all participatingnodes in the multiple-node digital communications network and securelydistributing the at least one first key(s) in encrypted form to multipleparticipating nodes of the multiple-node digital communications network,using at least one asymmetrically established second key(s), theparticipating nodes including at least one message-transmitting node(s)and at least one message-receiving node(s);

generating at least one symmetric third key(s) for one or morecommunication session that includes one or more communications from theat least one message-transmitting node(s) to the message-receivingnode(s);

encrypting at least one payload message using the at least one thirdkey(s) at the at least one message-transmitting node(s), sending theencrypted at least one payload message, and receiving the encrypted atleast one payload message at the at least one message-receiving node(s);

encrypting the at least one third key(s) using the at least one firstkey(s), sending the encrypted at least one third key(s), and receivingthe encrypted at least one third key(s) at the at least onemessage-receiving node(s);

decrypting the at least one third key(s) using the securely distributedat least one first key(s), at the at least one message-receivingnode(s); and

decrypting the at least one encrypted payload message using thedecrypted at least one third key(s), at the at least onemessage-receiving node(s).

9. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the multiple node(s) have unique IDs securelypre-stored internally in the network before one or more of:

first activation;

re-activation; and

reboot,

of the network.

10. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the network is entirely internal to one or motorvehicles and comprises a secure application layer or a secure linklayer, which secures the motor vehicle network;

wherein the network stores a pre-determined list of unique IDs securelyheld in at least one memory internal to the network, optionally at oneor more domain controller, and

wherein the list is established and stored securely by relying only ondata that is pre-stored in the network before network activation.

11. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the message of one or more of the at least onemessage-transmitting node(s) and the at least one message-receivingnode(s), when executed, operably causes altering of a primary functionof one or more mechanical or electronic vehicle component(s) that isoperated based on instructions sent to one or more of the at least onemessage-transmitting node(s) and the at least one message-receivingnode(s).

12. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein a protocol used to establish the at least oneasymmetrically established second key(s) over the network usesproperties inherent to the network:

to obtain one or more bits of shared secret information and use the oneor more bits of shared secret information as at least a portion of theat least one asymmetrically established second key(s), and

to securely distribute the at least one symmetric first key(s).

13. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the properties inherent to the network include one ormore arbitration phase(s), during which one or more communicated logicalvalue, optionally ‘0’, is preferred over some other communicated logicalvalue(s), optionally ‘1’, and optionally, causing one or more of:

(1) the arbitration phase occurring irrespective of what node(s) eitherof the logical values has been communicated from;

(2) the arbitration phase creating an externally visible side channel ofinformation comprising preferred logical value transmissions from one ormore single nodes;

(3) the side channel results from and represents a collection of alltransmitted logical values;

(4) the side channel provides an additional channel that is in additionto one or more node-to-node transmission channels; and

(5) the side channel is based on multiple logical value transmissions.

14. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the arbitration phase can be activated at one or morerandom point in time, regularly scheduled time or another, optionallyselected, time, optionally a time when one or more new second key(s) isselected.

15. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the arbitration phase can be extended for any length oftime during which secret information in one or more side channel may berecorded in one or more locations in the network and securely stored,thereby reducing the necessary computational load on the network duringone or more times when a new, optionally different, version of the atleast one second key(s) is required.

16. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, further comprising at least one store having a maximum memorycapacity, the store being associated with one or more of the (optionallymessage receiving or message transmitting) node(s), the maximum capacitybeing smaller than what is required to hold the at least one secondkey(s), the store optionally being part of the at least one memory.

17. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein at least one of the participating nodes is at least onedomain controller(s), and each of the at least one domain controller(s)is able to perform at least as many computations as any other node(s)connectively linked to the at least one domain controller, and isadditionally capable of:

storing the at least first key(s) securely so that the at least firstkey(s) may be securely distributed.

18. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the multiple nodes are one or more of:

uniquely associated with one or more mechanical or electronic vehiclecomponent(s) that is operated based on instructions sent to one or moreof the at least one message-transmitting node(s) and the at least onemessage-receiving node(s);

located adjacent to one or more mechanical or electronic vehiclecomponent(s) that is operated based on instructions sent to one or moreof the at least one message-transmitting node(s) and the at least onemessage-receiving node(s);

comprising only specifically-and-uniquely-defined-by-vehicle-functionnodes at spoke ends of a hub-and-spoke CAN or hub-and-spoke LINarchitecture;

not comprising any one or more of a domain controller node, base stationnode, and master node; and

comprising any one or more of at least one domain controller node, basestation node, and master node.

19. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one first symmetric key(s) is generatedbased on multiple group elements, at least one of the group elementsfrom one or more of: [0196] each of the message-transmitting nodes inthe network;

each of the message-receiving nodes in the network; and

at least one domain controller node in the network.

20. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one second key(s) is a key derived from ashared secret used to securely relay information to a node that sharesthe secret.

21. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one second key(s) is discarded aftersharing information to a node.

22. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the multiple group elements are generated and sent toone or more node(s) when operation of the network starts, to enable datato be transmitted securely, thereby minimizing time-delay before networkfunctionality can be accessed.

23. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one first key(s) are generated and sent inencrypted form after the network operation starts yet before validationof one or more node(s) has occurred, to enable data to be transmittedsecurely, thereby minimizing time-delay before network functionality canbe accessed.

24. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one first key(s) are generated based onone or more of bit(s) of random or non-random data, obtained by one ormore method comprising:

sampling data stored in the network;

measuring sensor data from one or more sensor(s) associated with one ormore nodes in the network, optionally from long string(s) of data obtainor recorded at the one or more sensor(s);

combining two or more pieces of the sensor data from one or moresensor(s), by using a mathematical function.

25. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one second key(s) are generated based onone or more of bit(s) of random or non-random data, obtained by one ormore method comprising:

sampling data stored in the network;

measuring sensor data from one or more sensor(s) associated with one ofmore nodes in the network, optionally from long string(s) of data obtainor recorded at the one or more sensor(s);

combining two or more pieces of the sensor data from one or moresensor(s), by using a mathematical function.

26. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein instructional messages sent in high noise environmentssuch as is found in motor vehicles can be received at the at least onemessage-receiving node(s) without certification due to non-destructivearbitration of message data.

27. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one second key(s) are each independentlygenerated at two locations, both at a domain controller node, and at oneor more of

one of the message-transmitting node(s), and

one of the message-receiving node(s).

28. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one second key(s) are generated based oninformation obtained from two-way, shared group element information:

(1) from each of all of the multiple nodes, to a domain controller node,and

(2) from the domain controller node to each of all of the multiplenodes, optionally wherein the domain controller node controls a set ofcomponents or systems and the shared information is shared only asbetween nodes that are associated with a strict subset of the setcontrolled by the domain controller node.

29. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one second key(s) are generated based oninformation obtained from two-way, shared group element information.

30. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one first key is generated based on all ofthe at least one second key(s) from all of the participating nodes.

31. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein distribution of the at least one first key(s) isachieved by the at least first key(s) being one or more of: [0221]encrypted at a domain controller, using at least one of the at least onesecond key(s), which is generated at a domain controller node frominformation from a first node and information from the domain controllernode, and

unencrypted at the first node, using at least oneseparately-and-remotely-at-the-first-node-generated duplicate copy ofthe at least one of the at least one second key(s), the at least one ofthe at least one second key(s) being uniquely associated with only thefirst node and the domain controller node.

32. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, further comprising;

generating the at least one symmetric third key(s) at the at least onemessage-transmitting node(s), the at least one symmetric session key(s)generation being one or more of:

repetitive at a cycle speed, and

simultaneous at the multiple or participating nodes, including at the atleast one message-transmitting node(s) and at the one or moremessage-receiving node(s).

33. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one symmetric third key(s) are generatedbased on one or more of bit(s) of random or non-random data, obtained byone or more method comprising:

sampling data stored in the network;

measuring sensor data from one or more sensor(s) associated with one ofmore nodes in the network, optionally from long string(s) of data obtainor recorded at the one or more sensor(s);

combining two or more pieces of the sensor data from one or moresensor(s), by using a mathematical function.

34. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein the at least one first key(s) is a master key, the atleast one second key(s) are multiple transient keys, one for eachnon-domain-controller node that is either, one of the message-receivingnode(s) or one of the message transmitting node(s), and

the at least one third key(s) comprises one or more session key(s),optionally further comprising encrypting at least one of the at leastone payload message(s) using the at least one third key at exactly oneof the at least one message-transmitting node(s) to produce aciphertext.

35. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, further comprising decrypting the at least one session keys atone or more message-receiving node(s) based on the master key at themessage receiving node(s) and decrypting the ciphertext at one or moremessage-receiving node(s) based on one of the session key(s).

36. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein at least one of the message-transmitting node(s) andthe message-receiving node(s) is authenticated by one or more of:

validating encrypted node IDs received at the domain controller by wayof a comparison at the domain controller of ID messages to a known listof pairs of nodes and unique IDs associated to those nodes; and

performing a runtime authentication. by requiring themessage-transmitting node(s) to provide data over a channel modulated bya message ID value that is calculated by combining the session key(s),the validated group ID(s) and another number (optionally the grouprange), and requiring the message-receiving node(s) selectively to limitinformation which is processed to what is received over the channelmodulated by the message ID.

37. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein each of the at least one message-transmitting node(s)and the one or more message-receiving node(s), comprise one or more of:

at least one constrained vehicle controller area network bus nodeallowing a data field length of up to 8 bytes;

at least one constrained vehicle local interconnect network bus nodeallowing a data field length of up to 8 bytes;

at least one controller area network bus domain controller; and

at least one local interconnect network bus domain controller.

38. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein repeated encryption and decryption occurs within a timerange being one or more of:

one or more times per instruction sent to the message-receiving node(s)according to a decision of one or more system user;

one or more times per instruction sent to the message-receiving node(s)according to a decision of a person authorized by one or more systemuser;

a pre-determined unit of time within the capabilities of availablehardware processing power; and

a unit of time determined by a computer program or a device enabled withmachine learning capabilities.

39. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein timing of one or more session key(s) being repetitivelydiscarded and replaced is randomized.

40. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein each of the at least one message-transmitting node(s)and the one or more message-receiving node(s) are established asauthentic and wherein one or more of the multiple or participatingnode(s) are secured by a master node performing one or more of:

accessing a list of node unique ID(s) wherein the list is establishedsecurely some time at or after a first activation of a vehicle'signition and stored in a secure memory of the master node;

establishing the master key and transmitting master key elements in acryptogram to the participating nodes;

receiving node unique ID(s) encrypted with the master key at one or morenode(s) and sent to the master node from the participating node(s); and

comparing the IDs received at the master node against the securelyestablished list and securely transmitting all authentic node IDs toother authentic nodes.

41. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein each of the at least one message-transmitting node(s)and the one or more message-receiving node(s) continue to beauthenticated and continuously authenticate that other node(s) aresecured by:

(1) encrypting non-instruction implementing messages comprising knownvalid group ID(s) with a current session key to form a cryptogram andmodulating over a given group range;

(2) sending the resulting cryptogram along a data channel to one or moreother node(s);

(3) decrypting messages received at the message receiving node with alast known session key received from an authentic node and comparing itto the known valid group IDs; and

(4) rejecting any one or more of the received messages and any futuremessage(s) from the at least one message-transmitting node(s) when anyone or more of the received messages is not one of the valid group IDs.

42. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein one or more of the multiple nodes validate theirauthenticity, using a unique ID as against a pre-stored list thatcontains the multiple node(s)' unique IDs, with the domain controllerafter the master key is generated.

43. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein runtime authentication of currently known sessionkey(s) at one or more node(s) implements authentication of informationtransmitted from the one or more node(s) by one or more of:

modulating one or more instructional or non-instructional message IDsderived from the session key and from at least one of the one or morenode(s), and rejecting information received at a second of the one ormore node(s) that has been incorrectly modulated based on the sessionkey in use at the message-receiving node; and

requiring that message(s) identical to a correctly modulated informationderived from the session key in use be transmitted on a channel wherethe channel is modulated by one or more of the same message or anyparticular message derived from that message.

44. A method, terminal, system or, transitory or non-transitorycomputer-readable medium according to any one of the above or belowclauses, wherein at least one of the multiple nodes is a domaincontroller.

45. A processor-based terminal, according to any one of the above orbelow clauses comprising any one or more of:

at least one processor; and at least one memory storing instructionsthat, when executed by the at least one processor, cause the at leastone processor to any one or more of:

generating at least one symmetric first key(s), across all participatingnodes in the multiple-node digital communications network and securelydistributing the at least one first key(s) in encrypted form to multipleparticipating nodes of the multiple-node digital communications network,using at least one asymmetrically established second key(s), theparticipating nodes including at least one message-transmitting node(s)and at least one message-receiving node(s);

generating at least one symmetric third key(s) for one or morecommunication session that includes one or more communications from theat least one message-transmitting node(s) to the message-receivingnode(s);

encrypting at least one payload message using the at least one thirdkey(s) at the at least one message-transmitting node(s), sending theencrypted at least one payload message, and receiving the encrypted atleast one payload message at the at least one message-receiving node(s);

encrypting the at least one third key(s) using the at least one firstkey(s), sending the encrypted at least one third key(s), and receivingthe encrypted at least one third key(s) at the at least onemessage-receiving node(s);

decrypting the at least one third key(s) using the securely distributedat least one first key(s), at the at least one message-receivingnode(s); and

decrypting the at least one encrypted payload message using thedecrypted at least one third key(s), at the at least onemessage-receiving node(s).

46. A processor-based system according to any one of the above or belowclauses, comprising:

at least one processor; and at least one memory storing instructionsthat, when executed by the at least one processor, cause the at leastone processor to any one or more of:

generating at least one symmetric first key(s), across all participatingnodes in the multiple-node digital communications network and securelydistributing the at least one first key(s) in encrypted form to multipleparticipating nodes of the multiple-node digital communications network,using at least one asymmetrically established second key(s), theparticipating nodes including at least one message-transmitting node(s)and at least one message-receiving node(s);

generating at least one symmetric third key(s) for one or morecommunication session that includes one or more communications from theat least one message-transmitting node(s) to the message-receivingnode(s);

encrypting at least one payload message using the at least one thirdkey(s) at the at least one message-transmitting node(s), sending theencrypted at least one payload message, and receiving the encrypted atleast one payload message at the at least one message-receiving node(s);

encrypting the at least one third key(s) using the at least one firstkey(s), sending the encrypted at least one third key(s), and receivingthe encrypted at least one third key(s) at the at least onemessage-receiving node(s);

decrypting the at least one third key(s) using the securely distributedat least one first key(s), at the at least one message-receivingnode(s); and

decrypting the at least one encrypted payload message using thedecrypted at least one third key(s), at the at least onemessage-receiving node(s).

47. A computer storage apparatus encoded with a computer programaccording to any one of the clauses above or below, the programcomprising instructions that when executed by data processing apparatuscause the data processing apparatus to perform operations, comprisingany one or more of:

generating at least one symmetric first key(s), across all participatingnodes in the multiple-node digital communications network and securelydistributing the at least one first key(s) in encrypted form to multipleparticipating nodes of the multiple-node digital communications network,using at least one asymmetrically established second key(s), theparticipating nodes including at least one message-transmitting node(s)and at least one message-receiving node(s);

generating at least one symmetric third key(s) for one or morecommunication session that includes one or more communications from theat least one message-transmitting node(s) to the message-receivingnode(s);

encrypting at least one payload message using the at least one thirdkey(s) at the at least one message-transmitting node(s), sending theencrypted at least one payload message, and receiving the encrypted atleast one payload message at the at least one message-receiving node(s);

encrypting the at least one third key(s) using the at least one firstkey(s), sending the encrypted at least one third key(s), and receivingthe encrypted at least one third key(s) at the at least onemessage-receiving node(s);

decrypting the at least one third key(s) using the securely distributedat least one first key(s), at the at least one message-receivingnode(s); and

decrypting the at least one encrypted payload message using thedecrypted at least one third key(s), at the at least onemessage-receiving node(s).

Embodiments can work with software, hardware, and/or operating systemimplementations other than those described herein. Any software,hardware, and operating system implementations suitable for performingthe functions described herein can be used. Embodiments are applicableto both a client and to a server or a combination of both.

While it is apparent that the illustrative embodiments of the disclosureherein fulfil one or more objectives or inventive solutions, it isappreciated that numerous modifications and other embodiments may bedevised by those skilled in the art. Additionally, feature(s) and/orelement(s) from any embodiment may be used singly or in combination withother embodiment(s). Therefore, it will be understood that the appendedclaims are intended to cover all such modifications and embodiments thatwould come within the spirit and scope of the present disclosure.

The above embodiments are to be understood as illustrative examples ofthe disclosure. Further embodiments of the disclosure are envisaged. Itis to be understood that any feature described in relation to any one orone set of embodiments may be used alone, or in combination with otherfeatures described, and may also be used in combination with one or morefeatures of any other of the embodiments, or any combination of anyother of the embodiments. Furthermore, equivalents and modifications notdescribed above may also be employed without departing from the scope ofthe disclosure, which is defined in the accompanying claims.

1-30. (canceled)
 31. A method of increasing operational efficiency ofone or more computers or controllers at a terminal in a multiple-nodedigital communications network, comprising: generating a symmetric firstkey; securely distributing the symmetric first key in encrypted form toparticipating nodes of the multiple-node digital communications network,using an asymmetrically established second key, the participating nodesincluding a message-transmitting node and a message-receiving node;generating a symmetric third key for one or more communication sessionsthat include communications from the message-transmitting node to themessage-receiving node; encrypting a payload message using the symmetricthird key at the message-transmitting node; sending the encryptedpayload message from the message-transmitting node; receiving theencrypted payload message at the message-receiving node; encrypting thesymmetric third key using the symmetric first key, sending the encryptedsymmetric third key, and receiving the encrypted symmetric third key atthe message-receiving node; decrypting the symmetric third key using thesecurely distributed symmetric first key, at the message-receiving node;and decrypting the encrypted payload message using the decryptedsymmetric third key, at the message-receiving node, wherein themultiple-node digital communications network is a motor vehicle networkentirely internal to a motor vehicle.